github.com/anth0d/nomad@v0.0.0-20221214183521-ae3a0a2cad06/website/content/docs/job-specification/expose.mdx (about)

     1  ---
     2  layout: docs
     3  page_title: expose Stanza - Job Specification
     4  description: |-
     5    The "expose" stanza allows specifying options for configuring Envoy expose
     6    paths used in Consul Connect integration
     7  ---
     8  
     9  # `expose` Stanza
    10  
    11  <Placement
    12    groups={[
    13      'job',
    14      'group',
    15      'service',
    16      'connect',
    17      'sidecar_service',
    18      'proxy',
    19      'expose',
    20    ]}
    21  />
    22  
    23  The `expose` stanza allows configuration of additional listeners for the default
    24  Envoy sidecar proxy managed by Nomad for [Consul Connect][learn-consul-connect].
    25  These listeners create a bypass of the Connect TLS and network namespace
    26  isolation, enabling non-Connect enabled services to make requests to specific
    27  HTTP paths through the sidecar proxy.
    28  
    29  The `expose` configuration is valid within the context of a `proxy` stanza.
    30  Additional information about Expose Path configurations for Envoy can be found
    31  in Consul's [Expose Paths Configuration Reference][consul-expose-path-config].
    32  
    33  Service [check][] configurations can use their [expose][] parameter to
    34  automatically generate expose path configurations for HTTP and gRPC checks.
    35  
    36  ```hcl
    37  job "expose-check-example" {
    38    datacenters = ["dc1"]
    39  
    40    group "api" {
    41      network {
    42        mode = "bridge"
    43      }
    44  
    45      service {
    46        name = "count-api"
    47        port = "9001"
    48  
    49        connect {
    50          sidecar_service {}
    51        }
    52  
    53        check {
    54          expose   = true
    55          name     = "api-health"
    56          type     = "http"
    57          path     = "/health"
    58          interval = "10s"
    59          timeout  = "3s"
    60        }
    61      }
    62  
    63      task "web" {
    64        driver = "docker"
    65  
    66        config {
    67          image = "hashicorpdev/counter-api:v3"
    68        }
    69      }
    70    }
    71  }
    72  ```
    73  
    74  For uses other than Consul service checks, use the `expose` configuration in the
    75  `proxy` stanza. The example below effectively demonstrates exposing the
    76  `/health` endpoint similar to the example above, but using the fully flexible
    77  `expose` configuration.
    78  
    79  ```hcl
    80  job "expose-example" {
    81    datacenters = ["dc1"]
    82  
    83    group "api" {
    84      network {
    85        mode = "bridge"
    86  
    87        port "api_expose_healthcheck" {
    88          to = -1
    89        }
    90      }
    91  
    92      service {
    93        name = "count-api"
    94        port = "9001"
    95  
    96        connect {
    97          sidecar_service {
    98            proxy {
    99              expose {
   100                path {
   101                  path            = "/health"
   102                  protocol        = "http"
   103                  local_path_port = 9001
   104                  listener_port   = "api_expose_healthcheck"
   105                }
   106              }
   107            }
   108          }
   109        }
   110  
   111        check {
   112          name     = "api-health"
   113          type     = "http"
   114          path     = "/health"
   115          port     = "api_expose_healthcheck"
   116          interval = "10s"
   117          timeout  = "3s"
   118        }
   119      }
   120  
   121      task "web" {
   122        driver = "docker"
   123  
   124        config {
   125          image = "hashicorpdev/counter-api:v3"
   126        }
   127  
   128        # e.g. reference ${NOMAD_PORT_api_expose_healthcheck} for other uses
   129      }
   130    }
   131  }
   132  ```
   133  
   134  ## `expose` Parameters
   135  
   136  - `path` <code>([Path]: nil)</code> - A list of [Envoy Expose Path Configurations][expose_path]
   137    to expose through Envoy.
   138  
   139  ### `path` Parameters
   140  
   141  - `path` `(string: required)` - The HTTP or gRPC path to expose. The path must be prefixed
   142    with a slash.
   143  
   144  - `protocol` `(string: required)` - Sets the protocol of the listener. Must be
   145    `http` or `http2`. For gRPC use `http2`.
   146  
   147  - `local_path_port` `(int: required)` - The port the service is listening to for connections to
   148    the configured `path`. Typically this will be the same as the `service.port` value, but
   149    could be different if for example the exposed path is intended to resolve to another task
   150    in the task group.
   151  
   152  - `listener_port` <code>([Port]: required)</code> - The name of the port to use
   153    for the exposed listener. The port should be configured to [map inside][network-to]
   154    the task's network namespace.
   155  
   156  ## `expose` Examples
   157  
   158  The following example is configured to expose the `/metrics` endpoint of the
   159  Connect-enabled `count-dashboard` service, using the `HTTP` protocol.
   160  `count-dashboard` is expected to listen inside its namespace to port `9001`, and
   161  external services will be able to reach its `/metrics` endpoint by connecting to
   162  the [network interface][network_interface] of the node on the allocated
   163  `metrics` [Port][].
   164  
   165  ```hcl
   166  service {
   167    name = "count-dashboard"
   168    port = "9001"
   169  
   170    connect {
   171      sidecar_service {
   172        proxy {
   173          expose {
   174            path {
   175              path            = "/metrics"
   176              protocol        = "http"
   177              local_path_port = 9001
   178              listener_port   = "metrics"
   179            }
   180          }
   181        }
   182      }
   183    }
   184  }
   185  ```
   186  
   187  ## `path` Examples
   188  
   189  The following example is an expose configuration that exposes a `/metrics`
   190  endpoint using the `http2` protocol (typical for gRPC), and an HTTP `/v2/health`
   191  endpoint.
   192  
   193  ```hcl
   194  proxy {
   195    expose {
   196      path {
   197        path            = "/metrics"
   198        protocol        = "http2"
   199        local_path_port = 9001
   200        listener_port   = "expose"
   201      }
   202      path {
   203        path            = "/v2/health"
   204        protocol        = "http"
   205        local_path_port = 9001
   206        listener_port   = "expose"
   207      }
   208    }
   209  }
   210  ```
   211  
   212  ### Exposing Service Checks
   213  
   214  A common use case for `expose` is for exposing endpoints used in Consul service
   215  check definitions. For these cases the [expose][] parameter in the service check
   216  stanza can be used to automatically generate the expose path configuration.
   217  Configuring a port for use by the check is optional, as a dynamic port will be
   218  automatically generated if not provided.
   219  
   220  ```hcl
   221  check {
   222    expose   = true
   223    type     = "http"
   224    name     = "dashboard-health"
   225    path     = "/health"
   226    interval = "10s"
   227    timeout  = "3s"
   228  }
   229  ```
   230  
   231  [network-to]: /docs/job-specification/network#to
   232  [consul-expose-path-config]: https://developer.hashicorp.com/consul/docs/connect/registration/service-registration#expose-paths-configuration-reference
   233  [expose-path]: /docs/job-specification/expose#path-1
   234  [expose]: /docs/job-specification/service#expose
   235  [path]: /docs/job-specification/expose#path-parameters 'Nomad Expose Path Parameters'
   236  [port]: /docs/job-specification/network#port-parameters 'Nomad Port Parameters'
   237  [network_interface]: /docs/configuration/client#network_interface
   238  [learn-consul-connect]: https://learn.hashicorp.com/tutorials/nomad/consul-service-mesh
   239  [check]: /docs/job-specification/service#check-parameters